Apple paid $75,000 to the hacker for reporting the camera hijacking bugs.
There are two main types of hackers: black hat hackers, the bad guys who hack with malicious objectives, and white hat hackers, the good guys. Also referred to as ethical hackers, white hat hackers help tech firms and organizations improve their security mechanisms by identifying and reporting inherent flaws in their products and services. In doing so, they use their hacking prowess to help organizations protect their systems and offerings from black hat hackers.
The scope for ethical hacking has expanded tremendously, and it has become a lucrative profession. Ryan Pickren, founder of the proof-of-concept sharing service BugPoC, is a perfect example. A former security engineer at Amazon Web Services, Pickren earned a whopping $75,000 via the Apple Security Bounty program for identifying seven zero-day vulnerabilities in the iPhone camera.
Reportedly, in December 2019, Pickren was inspecting Safari for iOS by hammering the browser with “obscure corner cases” when he noticed unusual behavior. On closer examination of the camera’s “intense” security model, he found seven zero-day vulnerabilities, three of which could potentially be used to hijack the camera.
According to the details revealed by Pickren, if a user is lured to a compromised video conferencing website, the malicious site can obtain direct access to the camera.
“Put simply—the bug tricked Apple into thinking a malicious website was actually a trusted one. It did this by exploiting a series of flaws in how Safari was parsing URIs, managing Web origins, and initializing secure contexts,” explained Pickren.
Here’s a preview:
The vulnerabilities were identified in the WebKit browser engine and Safari. Combined, the flaws would let malicious websites activate the cameras on iPhone, iPad, and Mac.
Eventually, Pickren hijacked the iPhone’s camera and notified Apple’s product security team. The company patched the flaws in January and rewarded Pickren with a handsome sum.
As for Apple’s Security Bounty Program: launched in December last year, the program offers white hat hackers and security researchers some big bucks. You can also become a part of it. More information on the Security Bounty Program is available here.